Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

Thursday, December 31, 2015

Ukrainian power grid hacked, details sketchy

Last week, part of the Ukrainian power grid was hacked: the Prykarpattyaoblenergo distribution company in the Ivano-Frankivsk region lost control of its network and customers lost power. I found out through the wonderful SCADASEC mailing list. Although the details are still sketchy, this online news article has what is known so far. Since it is not in English, I ran it through Google Translate to get something resembling English back out.

On Wednesday, 23 December, due to technical failures at "Prykarpattyaoblenergo", half of the Ivano-Frankivsk region and part of the regional center were left without electricity. The company, for no apparent reason, began to disconnect electricity.

The reason was hacking: a virus launched from outside brought down the remote-control management system. Specialists managed to restore the electricity supply only after six hours.

As a result of the attack, the Ivano-Frankivsk, Gorodenka, Dolyna, Kolomiysky, Nadvirnyans'kyi, Kosovo, Kalush, Tysmenytsya and Yaremche districts and zones were partially or completely de-energized.

Energy workers did not immediately understand the causes of the accident. Central dispatching suddenly went "blind". "We can say that the system was actually 'hacked'. This is the first time in our work," "Prykarpattyaoblenergo" reported.

The stations were restored to operation manually, as the infected system had to be turned off.

At the time the network was switched back on, "Prykarpattyaoblenergo" was still infected with the virus, and experts were working to neutralize it. Whether the Prykarpattia experts have managed this is still unknown.

It is the first successful cyberattack in Ukraine on a public energy-supply enterprise.

This is more than a little frightening. At Rendition Infosec, we've evaluated security in numerous ICS and SCADA environments, and the results are usually terrifying, to say the least. The reality is that much of the equipment in public-sector utilities was never engineered with network security in mind: the protocols assume a trusted wire, and remote-management features assume a trusted network. We all know that when security is an afterthought, the outcome is predictably horrible.

We predict that in the future we'll see more disruptive attacks against the SCADA systems controlling our utilities. Some of these attacks will come from relative script kiddies flexing their muscles against poorly secured systems. Others are likely to come from state actors using utility disruptions for economic or political gain.

If you are in control of SCADA systems, make sure they are as secure as possible. Network segmentation goes a long way: ICS systems have no place on the same network segments as user workstations, since a phishing-borne infection on a user PC should not be able to reach an HMI or controller at all. Many SCADA controllers and HMIs have VNC built in for remote management, but VNC should never be exposed to the open Internet, and neither should Telnet; both carry credentials and console sessions with little or no protection, and both are trivially found by mass scanning. Despite common-sense rules such as these, we regularly see both exposed in assessments. Check your own perimeter and firewall rules before someone else does. Secure your ICS systems so some Ukrainian doesn't use Google Translate to read about your security failures like we just did for them.
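As an added example (my own, not code from the original post or from any of the utilities mentioned), here is a small audit script for exactly the two rules above. It parses a constructed, simplified firewall rule list, flags any rule that lets traffic from outside the control zone reach Telnet or VNC in the control zone (Modbus/TCP and DNP3 are added as the usual unauthenticated ICS protocols, going slightly beyond the post's two examples), and fingerprints a service from the first bytes it sends on connect, so a scan hit can be confirmed as VNC or Telnet rather than guessed from the port number. The rule format, zone names and sample rules are all assumptions made for the example.

```python
"""Audit firewall rules and service banners for exposed ICS remote-management services.

Added example, not code from the original post. The rule syntax, the zone
names and the sample data below are all constructed for illustration.
"""
from dataclasses import dataclass

# Services that must never be reachable from outside the control zone.
# Telnet and VNC are the two the post calls out; Modbus/TCP (502) and
# DNP3 (20000) are the usual ICS protocols with no authentication at all.
RISKY_PORTS = {
    23: "telnet",
    502: "modbus-tcp",
    20000: "dnp3",
    **{p: "vnc" for p in range(5900, 5910)},  # VNC display :0 .. :9
}

# Zones considered part of the ICS/OT enclave (assumed names).
TRUSTED_ZONES = {"ot-control", "ot-management"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int  # 0 means "any port"
    action: str    # "allow" or "deny"


def parse_rules(text):
    """Parse the constructed format: 'action src_zone dst_zone port', '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        rules.append(Rule(src, dst, 0 if port == "any" else int(port), action))
    return rules


def audit_rules(rules):
    """Return one finding string per rule that exposes the control zone."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone not in TRUSTED_ZONES:
            continue
        if r.src_zone in TRUSTED_ZONES:
            continue  # OT-to-OT traffic is the segmentation working as intended
        if r.dst_port == 0:
            findings.append(f"{r.src_zone} -> {r.dst_zone}: any port allowed (flat network)")
        elif r.dst_port in RISKY_PORTS:
            svc = RISKY_PORTS[r.dst_port]
            findings.append(f"{r.src_zone} -> {r.dst_zone}: {svc} (tcp/{r.dst_port}) exposed")
    return findings


def fingerprint(banner):
    """Identify VNC or Telnet from the bytes a server sends first after connect."""
    # RFB ProtocolVersion handshake: exactly "RFB xxx.yyy\n" (12 bytes), server speaks first.
    if banner.startswith(b"RFB ") and len(banner) >= 12 and banner[11:12] == b"\n":
        return "vnc"
    # Telnet option negotiation: IAC (0xFF) followed by WILL/WONT/DO/DONT (0xFB-0xFE).
    if len(banner) >= 3 and banner[0] == 0xFF and banner[1] in (0xFB, 0xFC, 0xFD, 0xFE):
        return "telnet"
    return "unknown"


# Constructed sample ruleset: not a real utility's configuration.
SAMPLE_RULES = """
# action   src_zone       dst_zone      dst_port
allow      internet       ot-control    5900    # VNC on an HMI reachable from the Internet
allow      corp-users     ot-control    23      # Telnet from the office LAN into the control zone
allow      corp-users     ot-control    any     # no segmentation at all
allow      ot-management  ot-control    502     # Modbus between OT zones: expected
deny       internet       ot-control    any
allow      internet       dmz           443
"""

# Constructed sample banners as a scanner would capture them on connect.
SAMPLE_BANNERS = {
    "10.0.5.20:5900": b"RFB 003.008\n",
    "10.0.5.21:23": b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23",
    "10.0.5.22:25": b"220 mail ready\r\n",
}

if __name__ == "__main__":
    for finding in audit_rules(parse_rules(SAMPLE_RULES)):
        print("FINDING:", finding)
    for endpoint, banner in SAMPLE_BANNERS.items():
        print(endpoint, "->", fingerprint(banner))
```

The fingerprint check matters because VNC and Telnet are routinely moved to non-standard ports "for security"; a perimeter scan that only matches port numbers will miss them, while the RFB version string and the Telnet IAC negotiation give them away on any port.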

Update: I actually wrote this late last night and then overnight, Chris Sistrunk posted this Reuters article with additional details. Chris apparently also broke the original story to the SCADASEC mailing list. Definitely worth looking at.